The recent update of ExpressVPN to Lightway aims to develop "the VPN protocol of the future."

ExpressVPN has taken a significant step by rewriting its Lightway protocol, migrating it from C to Rust, with the intention of transforming the VPN industry and providing a "safer and high-performance" Lightway for its users. The modernization to Rust ensures that the code remains open, allowing anyone with the proper knowledge to verify its functionality and security. Two independent audits, conducted by Cure53 and Praetorian, have already confirmed that the enhanced service is private and secure.

ExpressVPN’s integrated VPN router, Aircove, is the first platform to support the new Lightway, and in the coming months, the upgrade will roll out to all other devices, starting with the Android version, expected to be available by the end of March.

Lightway was developed and launched in 2020 with the goal of providing fast, secure, and reliable connections. The upgrade to Rust seeks to continue this promise, laying the groundwork for the future of VPN connectivity. According to Pete Membrey, Director of Research at ExpressVPN, the choice of Rust was natural, as it is widely recognized as a high-performance, safe, and reliable language.

Rust offers three key advantages: greater security, better performance, and simplicity in extension. Its design incorporates memory safety, reducing the risk of common vulnerabilities found in C. Additionally, its code is simpler, resulting in lighter, faster, and less power-hungry VPN connections. Rust's modern architecture will also facilitate the implementation of security fixes and new features for Lightway, which is beneficial in the context of the race for post-quantum security.

The independent audits have thoroughly analyzed the new Lightway and found no significant vulnerabilities. Praetorian reported only two low-risk findings, and Cure53 reported five, four of which were classified as "miscellaneous" with low exploitation potential. ExpressVPN has addressed all observations, and future audits will be able to validate these fixes.

Aaron Engel, Chief Information Security Officer of ExpressVPN, emphasized that the investment in dual audits by independent firms was crucial for obtaining a diverse perspective on the new Lightway codebase. ExpressVPN's transparency remains high, as anyone can access the Lightway source code on the company's GitHub page.

With Lightway 2.0, ExpressVPN aims to set a new standard for future VPN protocols, where security, performance, and efficiency go hand in hand. However, ExpressVPN's goal is not limited to improving its own product; the company hopes the entire industry will adopt these innovations, inviting others to test Lightway and consider its potential implementation.

Lauren Hendry Parsons, Director of Communications and Advocacy, highlighted that promoting digital rights is their primary objective and that the Lightway in Rust could also be applied in decentralized VPN solutions. Pete Membrey added that they hope Lightway will be seen as a valuable tool in the industry, emphasizing its application in military contexts due to its speed and post-quantum security. Thus, Lightway's commitment is not only to serve ExpressVPN users but also to contribute significantly to technology development across the entire VPN industry.